Saturday, August 22, 2015

XSS in Paypal (Bug Bounty)

I found an XSS vulnerability in PayPal. It is located on their main site (https://www.paypal.com/). Unfortunately my report was a duplicate; another researcher had already found the bug. Anyway, here is the POC:



Duplicate:




Timeline:

June 1 ------ Bug found

June 3 ------ Confirmed the vulnerability, gave me a case number.

June 5 ------ Said it was a duplicate :(


That's all. Thanks.

XSS in Magento (Bug Bounty)

I found an XSS vulnerability in Magento Commerce (www.magentocommerce.com/magento-connect/). They have a bug bounty program. I reported it to their security team via email; however, they did not send me a single reply. But after 2 months they replied and gave me a bounty of $60 :)
http://magento.com/security

Video POC:




This is the video POC.
    
POC Image:







Reward:




Timeline:

June 4 ----------- Reported

August 4 -------- Fixed

August 25 ------ Replied and gave a $60 bounty


SQL Injection in DLSU's main website

De La Salle University is one of the Philippines' most prestigious universities and is included in the "Top 4 universities and colleges in the Philippines". However, their site has an SQL injection vulnerability. I have reported it to them over the past 2 years (since I was in 3rd year of high school) but got no reply.
There are many vulnerable parameters. Among them is this:
http://www.dlsu.edu.ph/faculty/fis/alpha_list.asp?letter=B%27

Notice the trailing %27 (a URL-encoded single quote); how the page reacts to it shows whether the parameter can be injected or not.

POC: 



That's all
XSS in gov.ph --- Official Gazette

While randomly searching for websites to "pwn", I came across the website of the Official Gazette of the Republic of the Philippines (http://gov.ph). I just typed a payload in the search bar and voila! XSS vulnerable. I contacted them via Twitter and the XSS was fixed after a day. (They take web vulnerabilities seriously now, unlike before.)




POC:



The vulnerable part was their search bar. Just type the payload you want; in my case I used the most common payload, which is "><img src=x onerror=alert(document.domain)>.

Vulnerability has been fixed, check it out yourself :)


Thanks.


-----------No Timeline----------- 

XSS in Edmodo.com (Bug Bounty)

So this bug is about an XSS vulnerability I found in Edmodo. The bug is now fixed. They responded within 3 days (pretty fast) and fixed the vulnerability on the last day.


Steps to reproduce:

1. To reproduce the issue you must, of course, have an Edmodo account.

2. Go to the upper left panel and you will see 3 symbols; click the left one, which is the "Backpack".

3. After that, go to "Folders" on the left pane.

4. Click "New folder" and enter the payload. Now here is the trick:
   Ordinary payloads like "><img src=x onerror=alert(1)> will be filtered. To bypass the filter I used this instead:
   &#x3C;img src=x onerror=alert(5)&#x3e;

5. Now click "Create"...

6. XSS Pop-up.
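Why the entity-encoded payload slips past a blacklist filter, and what the fix looks like, as an added Python example. This is a constructed model of the bug described above, not Edmodo's code; the filter pattern, the decode-before-render step and the function names are assumptions.

```python
import html
import re

# Constructed model (not Edmodo's actual code): a blacklist runs on the raw
# input, but the stored value is HTML-entity-decoded later, just before it is
# written into the page. Anything encoded as entities is invisible to the filter.
TAG_BLACKLIST = re.compile(r"<\s*/?\s*(img|script|svg|iframe)", re.IGNORECASE)

def naive_filter(folder_name: str) -> bool:
    """Blacklist check on the raw input. True means the value is allowed."""
    return TAG_BLACKLIST.search(folder_name) is None

def render_vulnerable(folder_name: str) -> str:
    """Models the buggy path: filter first, decode entities afterwards, insert raw."""
    if not naive_filter(folder_name):
        raise ValueError("rejected by filter")
    decoded = html.unescape(folder_name)          # "&#x3C;" becomes "<" here
    return f'<li class="folder">{decoded}</li>'   # live markup reaches the page

def render_hardened(folder_name: str) -> str:
    """Fix: treat the stored string as data and escape it for the HTML text
    context at output time. No decode step, no blacklist to bypass."""
    return f'<li class="folder">{html.escape(folder_name, quote=True)}</li>'

def contains_live_tag(markup: str) -> bool:
    """Detection helper: did a real element land inside the user-controlled slot?"""
    inner = re.search(r'<li class="folder">(.*)</li>', markup, re.DOTALL).group(1)
    return re.search(r"<\s*[a-z]", inner, re.IGNORECASE) is not None

# The two payloads from the write-up, used as constructed sample input.
ORDINARY = '"><img src=x onerror=alert(1)>'
ENCODED = '&#x3C;img src=x onerror=alert(5)&#x3e;'

if __name__ == "__main__":
    print("ordinary payload allowed by filter:", naive_filter(ORDINARY))   # False
    print("encoded payload allowed by filter: ", naive_filter(ENCODED))    # True
    print("vulnerable render emits live tag:  ", contains_live_tag(render_vulnerable(ENCODED)))  # True
    print("hardened render emits live tag:    ", contains_live_tag(render_hardened(ENCODED)))    # False
```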


POC:





As a reward, they will give me goodies :) like Edmodo mugs, T-shirts, etc.




Timeline:

August 17 ---- Reported and Triaged

August 18 ---- Vulnerability confirmed. Asked for my mailing address for reward delivery

August 19 ---- Vulnerability was fixed. 


That's all. Thanks :)





Acknowledgements, Rewards and Hall of Fames

I have been acknowledged by the following sites as of 2016:

*Google
*Facebook
*Microsoft
*Yahoo
*Apple
*Twitter
*Snapchat
*US Dept of Homeland Security - CERT
*Western Union
*Adobe
*Xero
*Github
*Romit/Robocoin
*AT&T
*Mail.ru
*Khan Academy
*Ubiquiti Networks
*Urban Dictionary
*Wepay
*Slack
*Greenhouse.io
*General Motors (GM)
*Blinksale
*Heroku
*Magento
*Pinterest
*ProtonMail
*Spokeo
*Tagged
*Zendesk
*Edmodo